What to Do If My WordPress Site Has Been Hacked


As the most popular content management system, WordPress provides exciting opportunities to develop content and attract visitors exactly as you see fit. Its unique blend of freedom and guidance may be compelling, but there's a definite downside: WordPress can be shockingly vulnerable to attacks.

WordPress sites are common targets for hackers because the platform is widely used and often relies on third-party plugins, themes, and hosting environments that need regular updates and security maintenance. Weak passwords, outdated software, vulnerable plugins, and stolen login credentials can all give attackers a way into your site.
If you think your WordPress site has been hacked, acting quickly can help limit damage and protect visitors. We explain how to tell if your site has been hacked, what to do first, how to fix the issue, and how to prevent future WordPress hacks. If you need help right away, SiteLock 911 can help scan your site, remove malware, and restore control.
Signs your WordPress site has been hacked
If you notice unusual site behavior, your WordPress site may have been hacked. Some attacks are obvious, while others stay hidden until a visitor, search engine, or your hosting provider flags a problem.
- Website behaving strangely - Sometimes, it’s hard to pinpoint the issue. Something just feels off. If your WordPress site isn’t operating normally, trust that instinct and investigate. Even if it is not an attack, you may uncover performance, security, or design issues worth fixing.
- Unexpected redirects - Some WordPress attacks use redirects that send visitors to spam sites. Visitors may be redirected when they follow links on your site, or when they arrive from search engine results pages. These redirects typically result from targeted malware. If not addressed quickly, they can lead to flagged search results or even a blacklisting from Google.
- Spammy on-site content - While malicious redirects send visitors to spam content on outside websites, spam can also take over pages on your own WordPress site. Compromised plugins or themes are a common route in, so vet every plugin and theme carefully before you install it.
- Warnings from Google or web host - Few things can scare away website visitors faster than seeing Google’s “this site may be hacked” warning message. This appears when Google detects suspicious activity, warning visitors that while they can still access the site, they should do so at their own risk. This is often a sign of a hack and also a warning that a prompt response is crucial. Otherwise, the long-term impact on your SEO could be devastating.
- Unexplained accessibility issues - Website administrators and users instinctively know when pages aren't working as usual. Popup ads that were never an issue before can turn a useful WordPress site into something completely unreadable. Brute force login attempts can also slow down the entire site, leaving users struggling to reach the content they want or more likely to go elsewhere.
Immediate actions to take if your WordPress site was hacked
A prompt response can make all the difference in limiting the effects of a WordPress attack. To prevent long-term damage, take action immediately:
1. Use maintenance mode
Don't subject legitimate users to an obviously broken website. WordPress has a built-in Maintenance Mode that displays an official-looking notice to visitors. It is usually associated with redesigns or WordPress updates, but it is equally useful while you fix security problems. During updates, WordPress creates a .maintenance file in the site root; note that WordPress only honors that file for ten minutes after the timestamp it contains, so for a longer cleanup a maintenance-mode plugin is the practical option.
2. Change all passwords
Change passwords for every account connected to the site, including WordPress admin users, hosting, cPanel, SFTP, SSH, and any related email accounts. Do not reuse credentials.
If you suspect stolen login details or learn that credentials may have been exposed in a breach, treat every connected account as compromised. You should also reset the WordPress authentication keys and salts in wp-config.php so existing session cookies are invalidated and logged-in users are forced to sign in again.
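The salt reset described above, as an added example (not SiteLock's or WordPress's own code): it rewrites the eight salt define() lines in a wp-config.php file with fresh random values, refusing to proceed if any of the eight is missing. The sample config below is constructed for the demonstration; write the returned text back over your real wp-config.php.

```python
import re
import secrets
import string

# The eight secret keys WordPress reads from wp-config.php (these names are WordPress's own).
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Matches define( 'AUTH_KEY', '...' ); in either quote style. Groups: prefix, key, quote, value, suffix.
DEFINE_RE = re.compile(
    r"""(define\(\s*['"](%s)['"]\s*,\s*)(['"])(.*?)\3(\s*\)\s*;)""" % "|".join(WP_SALT_KEYS)
)
# Quotes, backslash and '$' are excluded so a value is always safe inside a PHP string literal.
SALT_CHARS = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}<>?~,.:;|"


def new_salt(length=64):
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def rotate_salts(config_text):
    """Return (updated wp-config.php text, {key: new value}); raise if any of the eight keys is absent."""
    new_values = {}

    def replace(match):
        key = match.group(2)
        new_values[key] = new_salt()
        return "%s'%s'%s" % (match.group(1), new_values[key], match.group(5))

    updated = DEFINE_RE.sub(replace, config_text)
    missing = set(WP_SALT_KEYS) - set(new_values)
    if missing:
        raise ValueError("wp-config.php is missing salt defines: %s" % sorted(missing))
    return updated, new_values


# Constructed sample carrying the placeholder values a fresh wp-config-sample.php ships with.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_NAME', 'wp_example' );\n" + "".join(
    "define( '%s', 'put your unique phrase here' );\n" % k for k in WP_SALT_KEYS
) + "$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    text, values = rotate_salts(SAMPLE_CONFIG)
    print(text)
```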
3. Contact the hosting provider
Reaching out to your hosting provider can give valuable insight into the source of the attack; on shared hosting, for example, an intrusion can originate from a neighboring account on the same server. Keep in mind that the hosting environment may have played a key role in the hack, so it may be time to switch to a new hosting solution.
4. Scan your site and remove all malicious code
Malware can hide in WordPress files, plugins, themes, uploads, and database entries, so cleanup should go beyond removing the first suspicious file you find. Use a trusted website scanner and remediation service to identify malicious code, suspicious redirects, spam injections, unfamiliar admin users, and other signs of compromise. SiteLock 911 is built to quickly repair and restore hacked websites.
Manual removal is possible but time-consuming. An automated scanning and removal solution can help identify and clean threats more thoroughly.
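As an added illustration of what a scanner looks for (example code, not SiteLock's scanner), this walks a WordPress tree and flags two things the text mentions: PHP files under wp-content/uploads, where WordPress never needs executable code, and files containing obfuscation idioms typical of injected malware. The sample tree is constructed in a temporary directory; the patterns are heuristics and a hit means "inspect", not "delete".

```python
import os
import re
import tempfile

# Heuristic idioms seen in injected PHP. Legitimate code rarely evals a decoded blob
# or calls a function whose name comes straight from request input.
SUSPICIOUS = {
    "eval of decoded payload": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "function named by request input": re.compile(rb"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "long base64 blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
}
PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")


def scan_site(root):
    """Walk a WordPress install; return sorted (relative path, reason) findings."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # WordPress never needs executable PHP under uploads; anything there is a red flag.
            if path.startswith(uploads):
                findings.append((rel, "PHP file inside wp-content/uploads"))
            with open(path, "rb") as fh:
                data = fh.read()
            for reason, pattern in SUSPICIOUS.items():
                if pattern.search(data):
                    findings.append((rel, reason))
    return sorted(findings)


def build_demo_site():
    """Constructed sample tree: two clean files, a dropper in uploads, a tampered theme."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/plugins/good/good.php": b"<?php add_action('init', 'good_init');\n",
        "wp-content/uploads/2024/01/cache.php": b"<?php eval(base64_decode('" + b"Q" * 240 + b"'));\n",
        "wp-content/themes/x/functions.php": b"<?php $f = $_POST['k']; $f($_POST['d']);\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_site(build_demo_site()):
        print(rel, "->", reason)
```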
5. Check admin accounts
Audit permissions and admin accounts to limit the number of people who have access to core files and the WordPress dashboard, and remove any administrator account you do not recognize. This is a prime area to apply the principle of least privilege, which mandates that administrative access should only be granted when and where it is absolutely essential.
6. Restore from a clean backup
The longer your website remains compromised or inaccessible, the more your reputation suffers and the worse the impact will be on your bottom line. If your WordPress site was properly backed up, restore the latest clean backup from before the compromise. This will let you turn the clock back and revert to full functionality. Make sure the backup genuinely predates the intrusion: a backup taken after the attacker got in restores the backdoor along with everything else, and a restored site still needs the password changes and updates described in this article.
7. Scan admin computers for malware
If your WordPress site was compromised, the computers being used to maintain it may also need to be checked. Scan all devices used to access WordPress, hosting, or related accounts to help prevent further issues.
Common WordPress vulnerabilities
WordPress vulnerabilities take every form imaginable. Because WordPress is open source, written in PHP, and extended by a huge ecosystem of third-party code, new threats emerge on a regular basis, and it can be difficult even for well-informed administrators to keep track of every threat facing WordPress core and its files.
We've highlighted a few of the most common issues below:
Weak passwords
Most users are well aware of the importance of strong passwords, and yet, may still opt for simple, easy-to-guess passwords that make their accounts vulnerable to brute-force attacks. The scope of this problem should not be underestimated; the 2026 Verizon Data Breach Investigations Report reveals that stolen credentials remain a major security risk.
Out-of-date software
The WordPress themes and plugins that make the platform so compelling also form some of its riskiest elements. Both these and WordPress core need to be updated regularly because attackers often look for known vulnerabilities in outdated, unsupported, or poorly maintained software.
These vulnerabilities can expose your site to a wide range of issues, including:
- DDoS attacks: A flood of traffic can overwhelm your site, making it slow, unstable, or completely inaccessible to visitors.
- Phishing and spam emails: A compromised site may be used to deceive users, send spam, or damage your domain reputation.
- SQL injection (SQLi): Vulnerable forms, plugins, or custom code can let attacker-supplied input be executed as SQL against your site’s database.
- Cross-site scripting (XSS): Malicious scripts may be injected into trusted pages, leading to unwanted pop-ups, redirects, or exposed session data.
- Spam content and malicious redirects: These issues can damage user trust, hurt SEO performance, and reduce search engine visibility.
Plugin and theme backdoors
Almost 100 WordPress themes and plugins were the victim of a PHP backdoor hack in January 2023, further illustrating the need for more than a standard WordPress security plugin and other bare-bones measures. Backdoors take their name from the way they work: hidden code that lets an intruder back in while bypassing the normal login, which is why they can go unnoticed for a long time.
Vulnerable file permissions
Users completing the initial WordPress installation often fail to ensure that important files and folders have the proper permissions. Core files such as wp-config.php (which holds the database credentials and the authentication salts) and index.php are particularly attractive targets; wp-config.php in particular should never be world-readable or writable by the web server.
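An added example (not from the original article) of checking a WordPress tree against the widely used permission baseline of 755 for directories, 644 for files and a tighter 640 for wp-config.php, and of clearing the excess bits on anything that exceeds it. The sample tree is constructed in a temporary directory; the baseline itself is an assumption you may tighten for your host.

```python
import os
import stat
import tempfile

# Baseline assumed here: directories 755, ordinary files 644, wp-config.php no wider than 640.
LIMITS = {"dir": 0o755, "file": 0o644, "wp-config.php": 0o640}


def _limit_for(name, is_dir):
    return LIMITS["dir"] if is_dir else LIMITS.get(name, LIMITS["file"])


def audit_permissions(root):
    """Return sorted (relative path, actual mode, allowed mode) for entries wider than the baseline."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name, is_dir in [(d, True) for d in dirs] + [(f, False) for f in files]:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)  # lstat: do not follow symlinks
            allowed = _limit_for(name, is_dir)
            if mode & ~allowed:  # any permission bit set beyond what the baseline permits
                findings.append((os.path.relpath(path, root), mode, allowed))
    return sorted(findings)


def tighten_permissions(root):
    """Clear the excess bits on every flagged entry; return how many entries were changed."""
    changed = 0
    for rel, mode, allowed in audit_permissions(root):
        os.chmod(os.path.join(root, rel), mode & allowed)
        changed += 1
    return changed


def build_demo_site():
    """Constructed sample: a world-writable uploads directory and a world-readable wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-perm-")
    layout = {"wp-content/uploads/": 0o777, "wp-content/": 0o755, "index.php": 0o644,
              "wp-config.php": 0o644, "wp-content/uploads/a.jpg": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.strip("/").split("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "wb").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for rel, mode, allowed in audit_permissions(site):
        print("%s is %s, baseline %s" % (rel, oct(mode), oct(allowed)))
    print("fixed", tighten_permissions(site), "entries")
```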
Insecure hosting provider
Hosting environments play a huge role in general website security. Often, however, administrators rely on band-aid approaches, rather than fixing the root of the issue: a poor hosting solution that fails to protect individual websites. This is a common concern with shared hosting, which, although affordable, is prone to security problems.
What security measures should I take after an attack?
Once you've suffered an attack, you'll be extra eager to prevent future issues. The steps you take now can limit the potential for additional interference.
Update WordPress and plugins
Outdated WordPress themes and plugins are among the most common attack vectors, but this is another vulnerability that can be relatively easy to fix. The WordPress admin dashboard provides insight into available updates. The WordPress Site Health tool can also be a valuable resource.
Don't forget to check the Plugins and Themes screens in wp-admin, which show both current versions and available updates. A full WordPress core update is available through the simple one-click Update Now button; otherwise, you can update manually over FTP or SFTP.
Clean sitemap and resubmit to Google
After the hacked content is removed, check Google Search Console for Security Issues, Manual Actions, and indexing warnings.
Once everything is completely fixed, regenerate and resubmit your sitemap. Next, request a review if Google flagged the site for malware, spam, or harmful redirects. This step helps Google confirm that the hacked WordPress site has been cleaned, but recovery may not be immediate, so continue monitoring impressions, rankings, and warnings after the fix.
Reinstall WordPress if compromised
When in doubt, a full reinstall should provide peace of mind. There are several ways to accomplish this, including replacing the core files over FTP or running the official 5-Minute WordPress installation process. Keep in mind that reinstalling core replaces only WordPress's own files; wp-content (plugins, themes, uploads) and the database still need to be cleaned separately.
Clean out hacked database
Access the phpMyAdmin dashboard to clean out any malicious data. Cleaning the data can be completed manually, but services such as SiteLock 911 and SiteLock 911 Plus provide a more reliable and swift means of cleansing, scrubbing, or validating compromised databases.
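The database checks from this step and the admin-account audit from step 5, as an added example (not SiteLock's or WordPress's code): the three queries are what you would paste into phpMyAdmin against the real MySQL wp_ tables, looking for injected script or iframe tags in posts, tampered siteurl/home values, and every account holding the administrator capability. An in-memory sqlite3 copy of the relevant columns, filled with constructed rows, stands in so the example runs offline; the meta_key assumes the default wp_ table prefix.

```python
import sqlite3

SUSPECT_POSTS = """
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%eval(%'   OR post_content LIKE '%base64_decode(%'
ORDER BY ID"""
# siteurl/home are the values redirect malware rewrites; the parameter is the URL you expect.
SUSPECT_OPTIONS = """
SELECT option_name FROM wp_options
WHERE (option_name IN ('siteurl', 'home') AND option_value <> ?)
   OR option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'
ORDER BY option_name"""
# Capabilities are stored PHP-serialized under <prefix>capabilities, so LIKE is the practical match.
ADMINISTRATORS = """
SELECT u.ID, u.user_login FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID"""


def find_suspect_posts(conn):
    return conn.execute(SUSPECT_POSTS).fetchall()


def find_suspect_options(conn, site_url):
    return [row[0] for row in conn.execute(SUSPECT_OPTIONS, (site_url,))]


def list_administrators(conn):
    return conn.execute(ADMINISTRATORS).fetchall()


def build_demo_db():
    """Constructed sample: a clean post, an injected post, a tampered home URL and a rogue admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_posts(ID INTEGER, post_title TEXT, post_content TEXT);
    CREATE TABLE wp_options(option_name TEXT, option_value TEXT);
    CREATE TABLE wp_users(ID INTEGER, user_login TEXT);
    CREATE TABLE wp_usermeta(user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_posts VALUES (1, 'Hello', '<p>Welcome to the shop.</p>');
    INSERT INTO wp_posts VALUES (2, 'About', '<p>Team</p><script src="https://cdn.example.invalid/r.js"></script>');
    INSERT INTO wp_options VALUES ('siteurl', 'https://shop.example'), ('home', 'https://redirect.example.invalid');
    INSERT INTO wp_options VALUES ('blogname', 'Shop');
    INSERT INTO wp_users VALUES (1, 'owner'), (2, 'editor'), (3, 'wp-support');
    INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    INSERT INTO wp_usermeta VALUES (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(find_suspect_posts(db), find_suspect_options(db, "https://shop.example"), list_administrators(db))
```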
Install a WAF
A web application firewall (WAF) is highly recommended for modern WordPress sites. Find a reputable firewall provider to limit unauthorized access. This should act as a trusted gatekeeper, providing a strong layer of security for your WordPress site.
Limit login attempts
Repeated failed login attempts are often a tell-tale sign of brute force efforts. While strong passwords are essential, you can also stop attackers in their tracks by limiting how many times a user or IP address can try to log in within a given period.
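An added example (not part of the original article) of spotting the repeated attempts this section and the "accessibility issues" sign above describe, using the web server's access log: it counts POSTs to wp-login.php and xmlrpc.php per client IP inside a sliding time window. The log lines are constructed; the rule that a failed wp-login.php POST answers 200 while a successful one redirects with 302 is how WordPress itself behaves.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, stamp, method, path, status = match.groups()
    return ip, datetime.strptime(stamp, TIME_FMT), method, path.split("?")[0], int(status)


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: total failed attempts} for IPs with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        # A failed wp-login.php POST re-renders the form with HTTP 200; success redirects (302).
        # xmlrpc.php answers 200 either way, so any burst of POSTs there is worth flagging too.
        if method == "POST" and path in LOGIN_PATHS and status == 200:
            failures[ip].append(when)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, stamp in enumerate(times):  # sliding window over sorted timestamps
            while (stamp - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample: one client hammering wp-login.php, one legitimate login that succeeded.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"' % s
    for s in range(0, 60, 10)
] + [
    '198.51.100.5 - - [10/Mar/2024:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Mar/2024:12:00:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 9132 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 6}
```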
Use two-factor authentication
These days, passwords alone are often not enough to keep your site secure. Instead, opt for two-factor authentication, which combines traditional passwords with other means of verification.
Implement SSL encryption
Secure Sockets Layer (SSL) encryption, today provided by its successor TLS, establishes secure connections between clients and servers. This prevents sensitive data such as login credentials from being read or altered in transit by third parties. Once the protected data has reached its final destination, it can be decrypted and accessed by authorized parties.
Acquiring an SSL certificate is a must; this will enable HTTPS. There are multiple types of SSL certificates, so think carefully about what you want to accomplish before you seek one for your WordPress site. Depending on your situation, you may be able to secure this via your web host or from a Certificate Authority.
Regularly backup your site
In the immediate aftermath of a breach, you may realize that your previous backup strategy was not sufficient. At a minimum, you need weekly WordPress backups to ensure that your website is swiftly returned to a somewhat recent status. Daily backups are far better, however. The sooner you up your backup game, the better.
If you're like many administrators, you cannot possibly hope to handle daily backups all on your own. Thankfully, this process can be outsourced to a security service, which can handle backups on your behalf. This will ensure that should the worst-case scenario arise, you'll be prepared with a recent backup.
Preventing future WordPress hacks
Once your site is clean, the next step is to reduce the risk of another attack. By this point, you should have a clearer understanding of what went wrong and which WordPress vulnerabilities may have left your site exposed. These ongoing preventative measures can help strengthen your site moving forward:
Ensure passwords are secured
Strong passwords are the bare minimum of any proper security strategy. Once you've reset them all, continue to emphasize password security to prevent future breaches.
Keep everything updated
Updates may be top of mind in the immediate aftermath of a hack, but it's unfortunately typical to pay less and less attention to these over time. Without a clearly defined process for updating (or outside help), you risk once again falling behind and leaving your WordPress site vulnerable to new hazards.
Begin by scheduling a specific time each week or month to review updates. Consider implementing a site manager so you can more easily keep track of these. Managed hosts and third-party maintenance services can also be valuable.
Use a WordPress security plugin
A WordPress security plugin can help reduce the risk of future hacks by adding regular scans, login protection, activity tracking, and WordPress-specific hardening controls. Look for a plugin that is easy to manage, does not slow down your site, and helps protect against common attack paths.
SiteLock’s WordPress security plugin combines cloud-based scanning, security checks, login hygiene tools, activity logs, site health visibility, and one-click hardening controls in a single plugin. It is free to install, with paid options available for broader protection such as malware remediation, firewall protection, and CDN capabilities.
Use trusted plugins and delete those that are unused
Research and vet every plugin carefully. Only add plugins and themes that you're confident you need and delete those you no longer use.
Find a reputable hosting company
If you're not happy with the quality of your hosting environment, you're always welcome to change. A different hosting setup could protect your WordPress website from future attacks.
Protect your WordPress site with SiteLock
If your WordPress site has already been hacked, SiteLock 911 can help scan your site, remove malware, and clean up malicious code so you can regain control. Once your site is clean, SiteLock’s WordPress security plugin can help strengthen ongoing protection with security checks, login protection, activity tracking, site health visibility, and WordPress-specific hardening controls.
Check out our solutions or reach out to learn more.